Dear Ritesh Tripathi:

     Thank you again for such a wonderful reply.
     Now I have an idea of how to solve my problem.

     Wishing you and yours a safe, healthy, and prosperous new year!

 Sincerely
Chunyao Wang
On Friday, January 1, 2021 at 4:01:04 PM UTC+8, Ritesh Tripathi wrote:

> Dear Chun-Yao,
>
> 1. OpenLDAP offers a password policy implementation - please see 
> https://tobru.ch/openldap-password-policy-overlay/. You don't need to opt 
> for Apache DS as you already have OpenLDAP.
> 2. CAS interacts with the LDAP server using the standard ldaptive Java 
> library. https://www.ldaptive.org/
> 3. The error codes that are returned by the LDAP server are translated to 
> the end-user messages inside CAS. Please have a look at the messages.properties 
> file inside CAS [you can get this file either by the gradlew explodewar command 
> or equivalent, or the file is inside the tomcat\webapps\cas\WEB-INF\classes 
> path; it's advisable that you follow the overlay standards and keep this 
> separate like your application.properties file] and customize the messages 
> as per your requirements [what you want the user to see]. The relevant 
> properties are 
>
> authenticationFailure.AccountDisabledException=This account has been 
> disabled.
> authenticationFailure.AccountLockedException=This account has been locked.
> authenticationFailure.AccountExpiredException=This account has expired and 
> is forbidden to login at this time.
> authenticationFailure.CredentialExpiredException=Your password has expired.
>
> There are many more - please see the authentication failure messages section 
> in messages.properties. 
>
> Now, when you are giving the messages, all HTML tags are supported. 
>
> Example - This account has been locked ....BLA...BLA.....BLA. Visit 
> <a href="http://www.abc.com">Identity server self service</a> to take 
> corrective actions.  
>
> So - please customize the messages as per your requirements and your job 
> should be done. The above will possibly be the easiest method for 
> implementation of your use cases.
>
> Best Regards
>
> Ritesh Tripathi
>
> On Fri, Jan 1, 2021 at 11:46 AM Chun-Yao Wang <[email protected]> 
> wrote:
>
>> Dear Ritesh Tripathi:
>>
>>      I'm very grateful for your speedy reply; this is the best New Year 
>> gift I have got!!
>>      Before I read your post, it never came to my mind that the password 
>> policy could be set in LDAP.
>>      I am using CAS 6.0 + OpenLDAP on Ubuntu Server; I will try your 
>> suggestion and test it.
>>      
>>      Could you allow me to ask some more questions?
>>
>>    1. Can CAS show an "Account locked due to too many attempts" message to 
>>    the user when the user's account is locked?
>>    2. Can I redirect the user to my specific URL when the user's password 
>>    is expired?
>>
>>      Thank you so much for your reply!
>>      Best Regards & Best Wishes for New Year 2021!
>>
>>      Sincerely
>>      Chunyao Wang.
>> On Thursday, December 31, 2020 at 11:55:31 PM UTC+8, Ritesh Tripathi wrote:
>>
>>> Dear Chun-Yao,
>>>
>>> Apache DS is an LDAP server. All LDAP servers - including Microsoft's 
>>> implementation of LDAP, which is called Active Directory - have the 
>>> feature of password policies. [Please see - 
>>> https://ldapwiki.com/wiki/Password%20Policy]
>>>
>>> Apache DS also offers a password policy complying with the draft 
>>> specification of password policy - 
>>> https://ldapwiki.com/wiki/Draft-behera-ldap-password-policy
>>>
>>> These can be easily configured in the Directory Studio admin by 
>>> opening the configuration file and going to the Password Policies tab. Please 
>>> see the screenshot enclosed below [red indicates the parameters to be 
>>> added to the system in your case].
>>>
>>> [image: image.png]
>>>
>>> The CAS properties that I used for getting the application up and 
>>> running are given below [version 6.2.x of CAS].
>>>
>>> ######### Local LDAP connection string for authentication using the 
>>> ######### manager's bind. Tested as OK on localhost. #################
>>> cas.authn.ldap[0].ldapUrl=ldap://localhost:389/
>>> cas.authn.ldap[0].bindDn=uid=admin,ou=system
>>> cas.authn.ldap[0].bindCredential=xxxx
>>>
>>> # Passivate pooled connections by re-binding as bindDn after each use
>>> cas.authn.ldap[0].poolPassivator=BIND
>>> #cas.authn.ldap[0].connectionStrategy=DEFAULT
>>>
>>> #cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
>>> # AUTHENTICATED: find the user's DN with the manager bind above, then bind
>>> # as that DN with the submitted password
>>> cas.authn.ldap[0].type=AUTHENTICATED
>>> # Plain ldap:// with StartTLS off sends bind passwords in cleartext;
>>> # acceptable only because the server is on localhost
>>> #cas.authn.ldap[0].useSsl=false
>>> cas.authn.ldap[0].useStartTls=false
>>> cas.authn.ldap[0].baseDn=dc=tbitslocal,dc=com
>>> cas.authn.ldap[0].subtreeSearch=true
>>> cas.authn.ldap[0].searchFilter=(&(objectClass=person)(uid={user}))
>>>
>>> cas.authn.ldap[0].principalAttributeList=sn,cn:commonName,displayName,l,o,postalAddress,mail,mobile,ou
>>> cas.authn.ldap[0].minPoolSize=3
>>> cas.authn.ldap[0].maxPoolSize=10
>>> cas.authn.ldap[0].blockWaitTime=PT3S
>>> cas.authn.ldap[0].responseTimeout=PT5S
>>> # Fail if the search filter resolves more than one entry for a username
>>> cas.authn.ldap[0].allowMultipleDns=false
>>> cas.authn.ldap[0].allowMultipleEntries=false
>>> cas.authn.ldap[0].followReferrals=false
>>> cas.authn.ldap[0].name=localhostLDAP
>>>
>>> #################LDAP Password Policy##############################
>>> # GENERIC: rely on the directory's own password policy (the draft-behera
>>> # ppolicy controls) rather than an AD/eDirectory/FreeIPA-specific scheme
>>> cas.authn.ldap[0].passwordPolicy.type=GENERIC
>>> cas.authn.ldap[0].passwordPolicy.enabled=true
>>>
>>> # Map an entry attribute to the exception CAS raises when it is present:
>>> # an accountLocked attribute on the entry surfaces as AccountLockedException
>>> cas.authn.ldap[0].passwordPolicy.policyAttributes.accountLocked=javax.security.auth.login.AccountLockedException
>>> # Threshold reported to CAS; the lock itself is enforced by the directory's policy
>>> cas.authn.ldap[0].passwordPolicy.loginFailures=5
>>> #cas.authn.ldap[0].passwordPolicy.warningAttributeValue=
>>> #cas.authn.ldap[0].passwordPolicy.warningAttributeName=
>>> cas.authn.ldap[0].passwordPolicy.displayWarningOnMatch=true
>>> # warnAll: always display the expiration warning, not only inside warningDays
>>> cas.authn.ldap[0].passwordPolicy.warnAll=true
>>> cas.authn.ldap[0].passwordPolicy.warningDays=1
>>> cas.authn.ldap[0].passwordPolicy.accountStateHandlingEnabled=true
>>>
>>>
>>> #############Properties for LDAP Password Management############
>>> # Password reset/change is performed with the manager bind below, so that
>>> # DN needs write access to userPassword on the user entries
>>> cas.authn.pm.ldap[0].type=GENERIC
>>> cas.authn.pm.ldap[0].username-attribute=uid
>>> cas.authn.pm.ldap[0].ldapUrl=ldap://localhost:389/
>>> cas.authn.pm.ldap[0].bindDn=uid=admin,ou=system
>>> cas.authn.pm.ldap[0].bindCredential=xxxx
>>> cas.authn.pm.ldap[0].poolPassivator=BIND
>>> cas.authn.pm.ldap[0].connectionStrategy=RANDOM
>>> cas.authn.pm.ldap[0].connect-timeout=PT5S
>>>
>>> #cas.authn.pm.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
>>> #cas.authn.pm.ldap[0].type=AUTHENTICATED
>>> #cas.authn.pm.ldap[0].useSsl=false
>>> cas.authn.pm.ldap[0].useStartTls=false
>>> cas.authn.pm.ldap[0].baseDn=dc=tbitslocal,dc=com
>>> cas.authn.pm.ldap[0].subtreeSearch=true
>>> cas.authn.pm.ldap[0].searchFilter=(&(objectClass=person)(uid={user}))
>>>
>>> #cas.authn.pm.ldap[0].principalAttributeList=sn,cn:commonName,displayName,l,o,postalAddress,mail,mobile
>>> cas.authn.pm.ldap[0].minPoolSize=3
>>> cas.authn.pm.ldap[0].maxPoolSize=10
>>> cas.authn.pm.ldap[0].blockWaitTime=PT3S
>>> cas.authn.pm.ldap[0].responseTimeout=PT5S
>>> cas.authn.pm.ldap[0].allowMultipleDns=false
>>> cas.authn.pm.ldap[0].allowMultipleEntries=false
>>> cas.authn.pm.ldap[0].followReferrals=false
>>> cas.authn.pm.ldap[0].name=localhostLDAP_PM_Feature
>>>
>>> #######################
>>> Some words of advice, to save time:
>>>
>>> 1. While dealing with LDAP, please test all your settings using the 
>>> command line first before using them for configuration in CAS. Execute the 
>>> basic commands, e.g. "ldapsearch", using your settings first from the 
>>> command line to ensure that your connections and values are working, 
>>> before filling in the CAS properties as applicable in your case. 
>>> 2. Please don't blindly copy-paste CAS properties - think and understand 
>>> what you are doing. 
>>> 3. The only constraint that I faced was that at the time of "forgot 
>>> username" or "forgot password" there can only be a single search query 
>>> defined if you integrate with LDAP, as against JDBC, where you 
>>> can define 2 different queries - one for getting the username and another for 
>>> fetching the email address etc. I overcame the above constraint by 
>>> setting username = email for my use case. 
>>> 4. Before implementing a directory service such as LDAP / ApacheDS, think 
>>> about whether you already have access to your LDAP or any other directory service 
>>> internally. All standard directory services will offer you password 
>>> policy features; better use them before introducing new software in 
>>> your organization. 
>>>
>>> Please feel free to contact me - if you have any further questions. 
>>>
>>> Best Regards & Best Wishes for New Year 2021!
>>>
>>> Ritesh Tripathi
>>>
>>> On Thu, Dec 31, 2020 at 8:18 PM Chun-Yao Wang <[email protected]> 
>>> wrote:
>>>
>>>> Dear Ritesh Tripathi:
>>>>
>>>>     I have the same requirement as you.
>>>>     I need to *"Lock user account for 30min after 3 unsuccessful 
>>>> login attempts"*.
>>>>     Could you give me more detail about how to configure Apereo CAS + 
>>>> ApacheDS to achieve the requirements?
>>>>     Great Thanks!!
>>>>
>>>> On Thursday, November 19, 2020 at 12:45:13 AM UTC+8, Ritesh Tripathi wrote:
>>>>
>>>>> Updating this thread so that this may be useful to others:
>>>>>
>>>>> A. Started using ApacheDS - https://directory.apache.org/apacheds/ - as 
>>>>> the LDAP server on a Windows machine. 
>>>>> B. Delegated all the password policy constraints to ApacheDS. ApacheDS 
>>>>> can be administered via Apache Directory Studio, and I didn't do any 
>>>>> implementation of custom code for implementing the same thing in JDBC.
>>>>> C. CAS worked wonderfully with LDAP authentication - including 
>>>>> password update in LDAP at the time of password expiry etc. 
>>>>>
>>>>> Thank you
>>>>>
>>>>> On Monday, 21 September 2020 at 19:57:25 UTC+5:30 [email protected] wrote:
>>>>>
>>>>>> I believe that the JDBC password policy settings are in the database 
>>>>>> authentication settings:
>>>>>>
>>>>>>  
>>>>>>
>>>>>>
>>>>>> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#database-authentication
>>>>>>
>>>>>>  
>>>>>>
>>>>>> Specifically          
>>>>>>
>>>>>>  
>>>>>>
>>>>>> # cas.authn.jdbc.query[0].field-expired=
>>>>>>
>>>>>> # cas.authn.jdbc.query[0].field-disabled=
>>>>>>
>>>>>>  
>>>>>>
>>>>>> Where both queries determine if an account is expired or disabled.
>>>>>>
>>>>>>  
>>>>>>
>>>>>> I am not certain, but I think you need a separate system, other than 
>>>>>> CAS, to expire and disable accounts in JDBC.
>>>>>>
>>>>>>  
>>>>>>
>>>>>>  
>>>>>>
>>>>>> *From:* [email protected] <[email protected]> *On Behalf Of *Ritesh 
>>>>>> Tripathi
>>>>>> *Sent:* Sunday, September 20, 2020 12:50 PM
>>>>>> *To:* CAS Community <[email protected]>
>>>>>> *Subject:* [cas-user] Cas 6.2 - Implementation of Custom Password 
>>>>>> Policy for JDBC Authentication
>>>>>>
>>>>>>  
>>>>>>
>>>>>> Hello All,
>>>>>>
>>>>>>  
>>>>>>
>>>>>> We have a requirement that *"after 5 unsuccessful login attempts - 
>>>>>> we need to lock the account for a day for the said user."*
>>>>>>
>>>>>>  
>>>>>>
>>>>>> We are using JDBC authentication. 
>>>>>>
>>>>>>  
>>>>>>
>>>>>> We were just curious if anyone has implemented a custom password policy 
>>>>>> using Groovy scripts or some other method for requirements as above. 
>>>>>>
>>>>>>  
>>>>>>
>>>>>> The CAS documentation seems to be specific to LDAP and other 
>>>>>> cases. I was not able to get more information on JDBC. 
>>>>>>
>>>>>>  
>>>>>>
>>>>>>
>>>>>> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#password-policy-settings
>>>>>>
>>>>>>  
>>>>>>
>>>>>> Will the Groovy script method as given in the above documentation link 
>>>>>> work for JDBC as well? Any comments or pointers to implement the above 
>>>>>> type and similar requirements? 
>>>>>>
>>>>>>  
>>>>>>
>>>>>> Best Regards
>>>>>>
>>>>>> R
>>>>>>
>>>>>>
>>>>>
>>>
>>>
>
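The following is an added example, not code from any message in this thread, for the requirement Chun-Yao stated (lock the account for 30 minutes after 3 failed attempts) on the OpenLDAP setup he describes, and for Ritesh's advice to verify the directory from the command line before touching the CAS properties. It loads the OpenLDAP ppolicy overlay with such a policy and interprets the pwdAccountLockedTime / pwdFailureTime attributes that ldapsearch returns. The slapd layout (cn=config, cn=module{0},cn=config, olcDatabase={1}mdb), the suffix dc=example,dc=com, the admin DN and the sample ldapsearch output are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example for the CAS + OpenLDAP discussion above, not code from any message in
# the thread. Part 1 emits cn=config LDIF for the slapo-ppolicy overlay with the policy
# Chun-Yao asked for (3 failed binds -> 30 minute lock). Part 2 interprets the ppolicy
# operational attributes ldapsearch returns, to verify the lock before CAS is pointed at
# it. Assumed: Ubuntu-style slapd with cn=config, cn=module{0},cn=config, olcDatabase={1}mdb.
set -eu
SUFFIX="dc=example,dc=com"
POLICY_DN="cn=default-ppolicy,${SUFFIX}"
LOCKOUT_SECONDS=1800    # keep in sync with pwdLockoutDuration below

# Overlay config; apply with: ldapmodify -Y EXTERNAL -H ldapi:///
# (OpenLDAP 2.4 first needs: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif)
# olcPPolicyUseLockout TRUE makes a bind on a locked entry fail with the ppolicy accountLocked
# error instead of plain invalidCredentials; that is what lets CAS raise AccountLockedException,
# but it also reveals lock state to anyone who can attempt a bind. HashCleartext hashes
# passwords that CAS password management writes to userPassword in the clear.
ppolicy_overlay_ldif() {
cat <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: ${POLICY_DN}
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
EOF
}

# Default policy entry; apply with: ldapadd -x -D cn=admin,${SUFFIX} -W
# pwdFailureCountInterval: failures older than this stop counting (0 = until the next
# successful bind). pwdMaxAge/pwdExpireWarning (90 d / 7 d) drive the expiry warning that
# the warningDays / warnAll CAS settings quoted in the thread react to.
ppolicy_policy_ldif() {
cat <<EOF
dn: ${POLICY_DN}
objectClass: device
objectClass: pwdPolicy
cn: default-ppolicy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: ${LOCKOUT_SECONDS}
pwdFailureCountInterval: ${LOCKOUT_SECONDS}
pwdMaxAge: 7776000
pwdExpireWarning: 604800
EOF
}

# GeneralizedTime as slapd stores it (YYYYMMDDHHMMSSZ) -> Unix epoch seconds, via awk and
# the days-from-civil formula, so the check is deterministic and needs no GNU date.
gt_to_epoch() {
  printf '%s\n' "$1" | awk '{
    y = substr($0,1,4)+0; m = substr($0,5,2)+0; d = substr($0,7,2)+0
    H = substr($0,9,2)+0; M = substr($0,11,2)+0; S = substr($0,13,2)+0
    if (m <= 2) y--                        # computational year starts in March
    era = int(y/400); yoe = y - era*400
    doy = int((153*((m+9)%12) + 2)/5) + d - 1
    doe = yoe*365 + int(yoe/4) - int(yoe/100) + doy
    epoch = (era*146097 + doe - 719468)*86400 + H*3600 + M*60 + S
    print epoch }'
}

# Usage: ppolicy_state LOCKOUT_SECONDS NOW_GENERALIZEDTIME < ldapsearch-output
# pwd* attributes are operational, so name them explicitly: ldapsearch -x -H ldap://localhost \
#   -D cn=admin,$SUFFIX -W -b "$SUFFIX" '(uid=alice)' pwdAccountLockedTime pwdFailureTime
ppolicy_state() {
  lockout=$1; now_epoch=$(gt_to_epoch "$2"); locked_at=""; failures=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      pwdAccountLockedTime:*) locked_at=${line#*: } ;;
      pwdFailureTime:*)       failures=$((failures + 1)) ;;
    esac
  done
  if [ -z "$locked_at" ]; then echo "unlocked failures=$failures"
  elif [ "$locked_at" = "000001010000Z" ]; then echo "locked-permanent"  # slapd's admin-lock sentinel
  else
    remaining=$(( $(gt_to_epoch "$locked_at") + lockout - now_epoch ))
    if [ "$remaining" -gt 0 ]; then echo "locked remaining=${remaining}s"
    else echo "lockout-expired failures=$failures"; fi
  fi
}

# Constructed sample (not real server output): alice hit pwdMaxFailure at 08:00:00Z.
SAMPLE_LOCKED='dn: uid=alice,ou=people,dc=example,dc=com
pwdFailureTime: 20210101075800Z
pwdFailureTime: 20210101075900Z
pwdFailureTime: 20210101080000Z
pwdAccountLockedTime: 20210101080000Z'
case "${1:-demo}" in
  ldif)  ppolicy_overlay_ldif; echo; ppolicy_policy_ldif ;;
  check) ppolicy_state "$LOCKOUT_SECONDS" "$(date -u +%Y%m%d%H%M%SZ)" ;;  # pipe real ldapsearch output in
  *)     printf '%s\n' "$SAMPLE_LOCKED" | ppolicy_state "$LOCKOUT_SECONDS" 20210101081500Z ;;
esac
```

Run it with `ldif` to print the two LDIF records, pipe real ldapsearch output into `check` to see a user's lock state, or with no argument to run against the constructed sample (which reports "locked remaining=900s" for 08:15:00Z). With olcPPolicyUseLockout set, the server answers a bind on a locked account with a distinct accountLocked error, which is what lets CAS show the "account locked" message Chun-Yao asked about; the same error lets anyone who can reach the bind endpoint tell which accounts are locked, so weigh that against the usability gain.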

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8a7250ba-042d-4890-85b9-1a4bda5b0f50n%40apereo.org.
